How to generate and export a report on the group memberships of a specific Active Directory (AD) user
The following is a comparison between the steps required for generating a report on the group memberships of an AD user with the Get-ADPrincipalGroupMembership cmdlet of Windows PowerShell and ADManager Plus.
Windows PowerShell
Steps to obtain a report on an AD user's group memberships using PowerShell:
- Choose which domain you want to generate the report for.
- Select the LDAP filters that you'll use as parameters for generating the report.
- Within the Property parameter, specify additional user object properties that should appear in the report.
- Establish the format in which you want to export the report.
- Double-check that you've adhered to the appropriate syntax when writing the script.
- Use Windows PowerShell to compile and execute the script.
- To generate the report in a different format, or to add additional properties to the reports, modify the script accordingly.
Sample Script:
Copied
Get-ADPrincipalGroupMembership $JohnDoe | Select-Object -Property Name, GroupScope, GroupCategory | Export-Csv -Path "C:\Scripts\Users.csv" -NoTypeInformation
Click to copy entire script
ADManager Plus
To obtain the report:
- Select the Groups for Users report from the Nested Groups column of the User Reports section.
- Select the Domain and select the specific AD user/users whose group memberships you want to determine.
- Generate the report. Use the Export As option to export the report in any of the desired format—CSV, PDF, XLSX, HTML and CSVDE.
Screenshot
» Start 30-day Free Trial
In Active Directory, the Get-ADPrincipalGroupMembership cmdlet helps retrieve the AD group memberships of users. However, using a script with the Get-ADPrincipalGroupMembership cmdlet to retrieve group membership details of a specific user can prove to be a difficult task because:
- Minute syntax errors or typographical errors can lead to execution failures.
- Retrieving group memberships of a specific user using the Get-ADPrincipalGroupMembership cmdlet involves a global catalog to carry out a group search. If the forest in which the user or group exists does not contain a global catalog, then the cmdlet will throw a non-terminating error.
- Searching for local groups in other domains requires scripts to include the ResourceContextServer parameter to mention an alternate server in that domain.
- Adding more details to the report—such as adding additional attributes or obtaining the group memberships of multiple users —require scripts to be modified and executed again, which is time-consuming.
- Exporting a report in a specific format requires a script to be modified accordingly, which increases the complexity of the script.
- Troubleshooting these scripts require extensive AD and scripting expertise.
- These scripts can only be executed from computers which have Active Directory Domain Services role.
Therefore, a better and easier way to generate AD reports is by using ADManager Plus, an Active Directory management and reporting tool.
ADManager Plus is a web-based solution for all your AD, Exchange, Skype for Business, Google Workspace, and Office 365 management needs. It simplifies several routine tasks such as provisioning users, cleaning up dormant accounts, managing NTFS and share permissions, and more. Besides reporting, you can also build a custom workflow structure that will assist you in ticketing and compliance, automate routine AD tasks such as user provisioning and de-provisioning, and more. Download a free trial today to explore all these features.
Highlights of using ADManager Plus to generate AD reports
ADManager Plus simplifies the process of AD reporting by:
- Providing script-free reporting.
- Offering over 150 pre-packaged AD reports that cover the most important information about all AD objects.
- Allowing you to create your own report using the custom reports feature.
- Letting you automatically generate reports using the report scheduler. You can also choose to email these reports or store them at a specific location.
- Enabling on-the-fly management tasks to be performed from within those reports. For instance, perform actions like delete, disable, move, etc, on inactive users generated from the inactive users reports.